full-artist-27215
04/29/2021, 2:47 PM
pulumi_aws.iam.get_role (using Python, FWIW) in order to grant it permission to access an S3 bucket. The stack creation and permission granting are currently in the initialization of a Component Resource. As I was developing my application, I started out with just the CloudFormation stack, and only later added this permission granting step. Because of this, the CloudFormation stack (and thus the Role) already existed by the time I added the get_role call. Now, however, I am creating a new instance of my Pulumi stack from scratch, and nothing exists. I had assumed that my get_role call would be fine, given that I'm using the Outputs of the CloudFormation stack, e.g.
queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)
but this apparently isn't sufficient; I'm getting the following error:
Exception: invoke of aws:iam/getRole:getRole failed: Missing required argument: The argument "name" is required, but no definition was found. ()
This is on Pulumi 2.25.2.
Is there a way to force this get_role call to wait until the CloudFormation stack is created before being invoked? Thanks.
bored-oyster-3147
04/30/2021, 3:10 PM
Stack - do you mean the pulumi concept of a Stack? Like is all of this occurring in one pulumi stack?
Do you need to get_role? Is the role created further up in the stack with like:
var role = new Aws.Iam.Role("role", ...);
And if it is, is the name you want a pulumi output on that object, like role.RoleName? And if it isn't, can you provide the role ARN on the new policy instead of the name? Since that is definitely an output.
get_x methods for things that are created outside of the stack
full-artist-27215
04/30/2021, 3:22 PM
bored-oyster-3147
04/30/2021, 3:44 PM
get_role. That is why the ordering is broken. Can you link me a reference for the 3rd party Cloudformation stack definition?
full-artist-27215
04/30/2021, 3:47 PM
get_role, then what? Do I need to create a separate Pulumi stack that only brings up that Cloudformation stack, and then have the rest of my code in another Pulumi stack and make references? That could also get complicated because I actually have several instances of the Cloudformation stack that I need to work with.
bored-oyster-3147
04/30/2021, 3:50 PM
full-artist-27215
04/30/2021, 3:52 PM
bored-oyster-3147
04/30/2021, 3:53 PM
full-artist-27215
04/30/2021, 3:53 PM
bored-oyster-3147
04/30/2021, 3:54 PM
cloudformation.stack.outputs has a role name that you are using?
full-artist-27215
04/30/2021, 3:55 PM
queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)
bored-oyster-3147
04/30/2021, 3:55 PM
full-artist-27215
04/30/2021, 3:59 PM
bored-oyster-3147
04/30/2021, 3:59 PM
full-artist-27215
04/30/2021, 4:05 PM
bored-oyster-3147
04/30/2021, 4:08 PM
var policy = new Aws.S3.BucketPolicy("name", {
    role_name: self.cf_stack.outputs["InstanceRoleName"],
});
full-artist-27215
04/30/2021, 4:14 PM
get_role expects a str and not an Output[str]... presumably if the latter were true, this would work.
bored-oyster-3147
04/30/2021, 4:15 PM
self.cf_stack.outputs["InstanceRoleName"] was an Output[str]
full-artist-27215
04/30/2021, 4:21 PM
bored-oyster-3147
04/30/2021, 4:22 PM
Aws.Iam.Role that is returned by get_role?
full-artist-27215
04/30/2021, 4:26 PM
bored-oyster-3147
04/30/2021, 4:28 PM
get_role I don't think. Get_role is just meant to be used to retrieve resources that don't belong to your stack, which is why it wasn't waiting for the role to be created.. because it assumes it exists outside your stack
Output[str] but rather a str, since it isn't supposed to depend on anything in the stack